73 commits
8d569fc
setting default keto dsn as secret
etaques Jan 19, 2024
0376d3d
Update Chart.yaml
etaques Jan 19, 2024
f3f505f
set with correct cmd for onprem
etaques Jan 19, 2024
6638e77
remove comment
etaques Jan 19, 2024
af6a255
Update nginx-internal.yaml
etaques Jan 19, 2024
4f15cbe
Update README.md
etaques Jan 19, 2024
b557f3b
Update values.yaml
etaques Jan 19, 2024
b07c3f4
Update values.yaml
etaques Jan 19, 2024
6fc4f15
Update nginx-internal.yaml
etaques Jan 19, 2024
8bd5655
Update .helmignore
etaques Jan 20, 2024
1e153cf
Update README.md
etaques Jan 21, 2024
10f8b52
Update values.yaml
etaques Jan 21, 2024
a4f3ab6
Update values.yaml
etaques Jan 21, 2024
03414c1
Update statefulset.yaml
etaques Jan 21, 2024
04f17f8
Update statefulset.yaml
etaques Jan 21, 2024
5b80d45
Update statefulset.yaml
etaques Jan 21, 2024
c47965b
Update values.yaml
etaques Jan 21, 2024
f7ae37c
Update README.md
etaques Jan 21, 2024
3f8f420
Update statefulset.yaml
etaques Jan 21, 2024
2c8c4ab
Update values.yaml
etaques Jan 21, 2024
a495c8b
Update nginx-internal.yaml
etaques Jan 21, 2024
bf28303
Update values.yaml
etaques Jan 21, 2024
2959b24
Update values.yaml
etaques Jan 21, 2024
b715a78
Create certificate.yaml
etaques Jan 21, 2024
e49601e
Update certificate.yaml
etaques Jan 21, 2024
6167e10
Update certificate.yaml
etaques Jan 21, 2024
6b3ebc4
Update README.md
etaques Jan 21, 2024
01fb5fa
Update values.yaml
etaques Jan 22, 2024
25caa0f
Update ingress.yaml
etaques Jan 22, 2024
77e5406
Update ingress.yaml
etaques Jan 22, 2024
bbb4606
Update ingress.yaml
etaques Jan 22, 2024
57dda2e
Update ingress.yaml
etaques Jan 22, 2024
f170757
Update ingress.yaml
etaques Jan 22, 2024
66a1c49
Update ingress.yaml
etaques Jan 22, 2024
8885341
Update ingress.yaml
etaques Jan 22, 2024
9f17cc9
Update ingress.yaml
etaques Jan 22, 2024
1e82e46
Create production-issuer-traefik.yaml
etaques Jan 22, 2024
ee74769
Rename production-issuer-tpt.yaml to production-issuer-nginx.yaml
etaques Jan 22, 2024
6b0c917
update traefik ingress
etaques Feb 1, 2024
0326901
Update ingress.yaml
etaques Feb 1, 2024
c0acb19
Update ingress.yaml
etaques Feb 1, 2024
940fd73
Update ingress.yaml
etaques Feb 1, 2024
c77a076
Update ingress.yaml
etaques Feb 1, 2024
32b3271
Update ingress.yaml
etaques Feb 1, 2024
6d425d4
Update ingress.yaml
etaques Feb 1, 2024
4f17853
Update ingress.yaml
etaques Feb 1, 2024
c9b8503
Update ingress.yaml
etaques Feb 1, 2024
add6e44
Update ingress.yaml
etaques Feb 1, 2024
0a1bbff
Update values.yaml
etaques Feb 1, 2024
5171b5e
Update values.yaml
etaques Feb 1, 2024
6b30f46
Update values.yaml
etaques Feb 1, 2024
11eeeba
Update values.yaml
etaques Feb 1, 2024
959906b
Update values.yaml
etaques Feb 1, 2024
462fc42
Update README.md
etaques Feb 1, 2024
0d2833b
Update values.yaml
etaques Feb 1, 2024
9b6dbcc
Update maestro-service-account.yaml
etaques Feb 1, 2024
df2e6f1
Update values.yaml
etaques Feb 1, 2024
abd594a
Update maestro-service-account.yaml
etaques Feb 2, 2024
f547a89
Update maestro-deployment.yaml
etaques Feb 2, 2024
40ce2e5
Update values.yaml
etaques Feb 2, 2024
3b907c7
Update maestro-deployment.yaml
etaques Feb 2, 2024
550a019
Update maestro-service-account.yaml
etaques Feb 2, 2024
323b82b
Update values.yaml
etaques Feb 2, 2024
4f76be0
Update maestro-deployment.yaml
etaques Feb 2, 2024
8935fc1
Update maestro-service-account.yaml
etaques Feb 2, 2024
d673778
Update maestro-service-account.yaml
etaques Feb 2, 2024
8b2443a
Update values.yaml
etaques Feb 2, 2024
ea5b40b
Update maestro-service-account.yaml
etaques Feb 2, 2024
07b1026
fix rbac
etaques Feb 2, 2024
d88dbcc
Update maestro-service-account.yaml
etaques Feb 2, 2024
30902a3
Update maestro-service-account.yaml
etaques Mar 26, 2024
1304cca
Update values.yaml
etaques Mar 27, 2024
e035a8a
Update maestro-service-account.yaml
etaques Mar 27, 2024
1 change: 1 addition & 0 deletions charts/orb/.helmignore
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
.DS_Store
# Common VCS dirs
.git/
issuers/
.gitignore
.bzr/
.bzrignore
Expand Down
2 changes: 1 addition & 1 deletion charts/orb/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ name: orb
description: Orb Observability Platform
icon: https://avatars1.githubusercontent.com/u/13207490
type: application
version: 1.0.54
version: 1.0.55
appVersion: "0.27.0"
home: https://getorb.io
sources:
Expand Down
59 changes: 49 additions & 10 deletions charts/orb/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -25,10 +25,11 @@ helm repo update
helm dependency update
```

* Create `orb` namespace
* Create `orb` and `otelcollectors` namespace

```
kubectl create namespace orb
kubectl create namespace otelcollectors
```

* Create JWT signing key secret
Expand All @@ -44,7 +45,7 @@ kubectl create secret generic orb-sinks-encryption-key --from-literal=key=mainfl

* Create keto dsn secret
```
kubectl create secret generic orb-keto-dsn --from-literal=dsn='postgres://postgres:password@db.host.com:5432/keto' -n orb
kubectl create secret generic orb-keto-dsn --from-literal=dsn='postgres://postgres:orb@orb-postgresql-keto:5432/keto' -n orb
```

* Create admin user secrets
Expand All @@ -53,12 +54,28 @@ kubectl create secret generic orb-keto-dsn --from-literal=dsn='postgres://postgr
kubectl create secret generic orb-user-service --from-literal=adminEmail=user@example.com --from-literal=adminPassword=12345678 -n orb
```

* Install orb. Replace `orb` with your helm release name, also set your HOSTNAME as a valid domain to expose service properly, remember that should generate a certificate for that.
Check the [optional variables](#optional-variables-to-set) for more options.

```
helm install --set ingress.hostname=HOSTNAME -n orb orb .
```

On <b>AWS EKS</b>:
Once that you can update your ingress controller (AWS LoadBalancer) using helm, a good solution could be you open the MQTT port on the cluster loadbalancer and redirect it to <b>orb-nginx-internal</b> pod as below:
* Deploy [ingres-nginx helm](https://kubernetes.github.io/ingress-nginx/deploy/#using-helm) (to default namespace) with
tcp config map configured from helm for 8883 (MQTTS). Note you need to reference both namespace and helm release name
here!

```
helm install --set tcp.8883=orb/my-orb-nginx-internal:8883 ingress-nginx ingress-nginx/ingress-nginx
helm install --set tcp.8883=orb/orb-nginx-internal:8883 ingress-nginx ingress-nginx/ingress-nginx
```

On <b>On-Premise kubernetes cluster</b>:
The best approach is use nginx-internal as service type LoadBalancer on your values.yaml to expose your MQTT port externally

```
helm install --set tcp.8883=orb/orb-nginx-internal:8883 ingress-nginx ingress-nginx/ingress-nginx
```

* Wait for an external IP to be available
Expand All @@ -76,16 +93,38 @@ helm install cert-manager jetstack/cert-manager --namespace cert-manager --creat
```

* Create Issuer CRDs (in the `orb` namespace!)
* `cp issuers/production-issuer-tpt.yaml issuers/production-issuer.yaml`
* edit `issuers/production-issuer.yaml` and change `spec.acme.email` to a real email address
* `kubectl create -f issuers/production-issuer.yaml -n orb`

* Install orb. Replace `my-orb` with your helm release name.
Check the [optional variables](#optional-variables-to-set) for more options.
If you are using nginx as ingress controller:
```
cp issuers/production-issuer-nginx.yaml issuers/production-issuer.yaml
```
If you are using traefik as ingress controller:
```
cp issuers/production-issuer-traefik.yaml issuers/production-issuer.yaml
```
* edit `issuers/production-issuer.yaml` and change `spec.acme.email` to a real email address
```
kubectl apply -f issuers/production-issuer.yaml -n orb
```
* Create Certificate (in the `orb` namespace!)
```
kubectl apply -f issuers/production-issuer.yaml -n orb
```

To restart entire deployment:

```
kubectl rollout restart deployment -n orb
```

## Known-bug:
Sometimes on the first run, postgres can have a problem to seed your password. To fix this, you have to manually remove the persistent volume claim (PVC) which will free up the database storage.

```
helm install --set ingress.hostname=HOSTNAME -n orb my-orb .
kubectl delete pvc data-my-db-postgresql-0
```
(Or whatever the PVC associated with your initial Helm install was named.)
After remove the pvc, you need to restart the respective pod.

### Optional variables to set
- **SMTP**
Expand All @@ -96,4 +135,4 @@ helm install --set ingress.hostname=HOSTNAME -n orb my-orb .
- `smtp.fromName`: E-mail sender display name. Defaults to `Orb`.
- `smtp.fromAddress`: E-mail address of the sender.
- `smtp.usernmame`: username used when authenticating to the SMTP server used for sending e-emails.
- `smtp.password`: password used when authenticating to the SMTP server used for sending e-emails.
- `smtp.password`: password used when authenticating to the SMTP server used for sending e-emails.
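--- a/charts/orb/issuers/certificate.yaml
+++ b/charts/orb/issuers/certificate.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: orb-tls
+  namespace: orb
+spec:
+  dnsNames:
+    - orb.example.com
+  secretName: orb-tls
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer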
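Review bot: `issuerRef.kind: ClusterIssuer` does not match the issuer this PR ships: production-issuer-traefik.yaml declares a namespaced `kind: Issuer`, so cert-manager will look for a ClusterIssuer named `letsencrypt-prod` that is never created and this Certificate will stay not-ready. Change it to `kind: Issuer` (the Certificate is already pinned to the `orb` namespace the README applies the issuer into), or convert the issuers to `ClusterIssuer`, but not one of each. The `dnsNames` entry and `secretName` are also hard-coded placeholders; add a comment above them such as `# dnsNames must equal ingress.hostname and secretName must equal ingress.secret, the value the chart's ingress tls.secretName reads` so operators do not end up with a valid certificate the ingress never references. Note the README's "Create Certificate" step applies `production-issuer.yaml` a second time rather than this file.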
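--- a/charts/orb/issuers/production-issuer-traefik.yaml
+++ b/charts/orb/issuers/production-issuer-traefik.yaml
@@ -0,0 +1,24 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: user@example.com
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    # Enable the HTTP-01 challenge provider
+    solvers:
+      - http01:
+          ingress:
+            class: traefik
+            ingressTemplate:
+              metadata:
+                annotations:
+                  traefik.ingress.kubernetes.io/router.entrypoints: "web"
+                  traefik.ingress.kubernetes.io/router.tls: "false"
+                  traefik.ingress.kubernetes.io/router.priority: "42"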
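Review bot: The fixed `router.priority: "42"` on the solver ingress has to beat the chart's Traefik IngressRoute catch-all `Host(...) && PathPrefix(`/`)`, which ingress.yaml also binds to the `web` entrypoint; if that route is left at Traefik's default rule-length priority it will likely exceed 42 for any real hostname, and `/.well-known/acme-challenge/...` would then be answered by the UI service instead of the solver, so the order never validates. Either raise this value well above the catch-all (e.g. `traefik.ingress.kubernetes.io/router.priority: "1000"`) or give the catch-all route an explicit lower `priority`, and verify with a challenge before shipping. A short comment explaining why the three annotations are needed would help the next operator: `# HTTP-01 must be reachable on plain HTTP port 80 (entrypoint web, no TLS) — do not redirect this path to HTTPS`.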
114 changes: 113 additions & 1 deletion charts/orb/templates/ingress.yaml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Copyright (c) Mainflux
# SPDX-License-Identifier: Apache-2.0

{{- if eq .Values.ingress.ingressClassName "nginx" }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
Expand Down Expand Up @@ -34,6 +34,8 @@ spec:
- {{ .Values.ingress.hostname }}
secretName: {{ .Values.ingress.secret }}
---
{{- end }}
{{- if eq .Values.ingress.ingressClassName "nginx" }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
Expand Down Expand Up @@ -122,3 +124,113 @@ spec:
- hosts:
- {{ .Values.ingress.hostname }}
secretName: {{ .Values.ingress.secret }}
{{- end }}
{{- if eq .Values.ingress.ingressClassName "traefik" }}
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: orb-stripprefix
namespace: {{ .Release.Namespace }}
spec:
stripPrefix:
prefixes:
- /api/v1
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
annotations:
{{- if .Values.ingress.annotationsTraefik }}
{{ toYaml .Values.ingress.annotationsTraefik | indent 4 }}
{{- end }}
name: {{ .Release.Name }}-traefik-ingress
namespace: {{ .Release.Namespace }}
spec:
entryPoints:
- web
- websecure
routes:
- match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/users`)
kind: Rule
services:
- name: {{ .Release.Name }}-users
port: {{ .Values.users.httpPort }}
middlewares:
- name: orb-stripprefix
- match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/password`)
kind: Rule
services:
- name: {{ .Release.Name }}-users
port: {{ .Values.users.httpPort }}
middlewares:
- name: orb-stripprefix
- match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/tokens`)
kind: Rule
services:
- name: {{ .Release.Name }}-users
port: {{ .Values.users.httpPort }}
middlewares:
- name: orb-stripprefix
- match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/keys`)
kind: Rule
services:
- name: {{ .Release.Name }}-auth
port: {{ default .Values.auth.httpPort }}
middlewares:
- name: orb-stripprefix
- match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/agents`)
kind: Rule
services:
- name: {{ .Release.Name }}-fleet
port: {{ default .Values.fleet.httpPort }}
middlewares:
- name: orb-stripprefix
- match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/agent_groups`)
kind: Rule
services:
- name: {{ .Release.Name }}-fleet
port: {{ default .Values.fleet.httpPort }}
middlewares:
- name: orb-stripprefix
- match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/sinks`)
kind: Rule
services:
- name: {{ .Release.Name }}-sinks
port: {{ default .Values.sinks.httpPort }}
middlewares:
- name: orb-stripprefix
- match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/policies`)
kind: Rule
services:
- name: {{ .Release.Name }}-policies
port: {{ default .Values.policies.httpPort }}
middlewares:
- name: orb-stripprefix
- match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/features/sinks`)
kind: Rule
services:
- name: {{ .Release.Name }}-sinks
port: {{ default .Values.sinks.httpPort }}
middlewares:
- name: orb-stripprefix
- match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/api/v1/features/authenticationtypes`)
kind: Rule
services:
- name: {{ .Release.Name }}-sinks
port: {{ default .Values.sinks.httpPort }}
middlewares:
- name: orb-stripprefix
- match: Host(`{{ .Values.ingress.hostname }}`) && PathPrefix(`/version`)
kind: Rule
services:
- name: {{ .Release.Name }}-fleet
port: {{ .Values.fleet.httpPort }}
- match: Host(`{{ required "an ingress.hostname is required!" .Values.ingress.hostname }}`) && PathPrefix(`/`)
kind: Rule
services:
- name: {{ .Release.Name }}-ui
port: {{ .Values.ui.port }}
tls:
secretName: {{ .Values.ingress.secret }}
{{- end }}
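Review bot: The Traefik IngressRoute lists both `web` and `websecure` as entryPoints, so every API route below it, including `/api/v1/tokens`, `/api/v1/password` and `/api/v1/users`, is served over plaintext HTTP on port 80 with no redirect, which exposes login credentials and bearer tokens on the wire. Serve the application on `websecure` only and add a separate `web` route carrying a `redirectScheme` middleware, as sketched below; the cert-manager HTTP-01 solver ingress also lives on `web` and must not be caught by that redirect, so check its priority wins over the redirect route. Separately, `port: {{ default .Values.auth.httpPort }}` (and the same form for fleet, sinks and policies) calls `default` with a single argument, which only works because Sprig returns its first argument when no value is given; write it as `port: {{ .Values.auth.httpPort }}` like the users route for consistency, or supply a real default.

```yaml
# … unchanged: orb-stripprefix Middleware …
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: orb-redirect-https
  namespace: {{ .Release.Namespace }}
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: {{ .Release.Name }}-traefik-ingress-redirect
  namespace: {{ .Release.Namespace }}
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`{{ .Values.ingress.hostname }}`)
      kind: Rule
      middlewares:
        - name: orb-redirect-https
      services:
        - name: {{ .Release.Name }}-ui
          port: {{ .Values.ui.port }}
---
# … unchanged: {{ .Release.Name }}-traefik-ingress metadata …
spec:
  entryPoints:
    - websecure
# … unchanged: routes and tls …
```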
2 changes: 1 addition & 1 deletion charts/orb/templates/maestro-deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ spec:
app: {{ .Release.Name }}
component: maestro
spec:
serviceAccountName: k8s-maestro-role
serviceAccountName: {{ .Values.maestro.rbac.serviceAccountName }}
containers:
- env:
- name: ORB_SINKS_SECRET_KEY
Expand Down
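Review bot: `serviceAccountName: {{ .Values.maestro.rbac.serviceAccountName }}` is templated from values here, but maestro-service-account.yaml in the same PR now hard-codes the ServiceAccount as `k8s-maestro-sa`; unless values.yaml sets that key to exactly `k8s-maestro-sa`, the pod references a ServiceAccount that does not exist and the ReplicaSet cannot create it. Either reference the fixed name, `serviceAccountName: k8s-maestro-sa`, or template both files from the same value so they cannot drift. Quote the templated scalar as well, `serviceAccountName: "{{ .Values.maestro.rbac.serviceAccountName }}"`, so an unset value renders as an empty string rather than YAML null. The pod spec continues outside the hunk.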
58 changes: 50 additions & 8 deletions charts/orb/templates/maestro-service-account.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2,32 +2,74 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.maestro.rbac.serviceAccountName }}
name: k8s-maestro-sa
{{- if .Values.maestro.rbac.createServiceAccountTokenSecret }}
secrets:
- name: {{ .Release.Name }}-maestro-k8s-secret
{{ end }}
{{- if .Values.maestro.rbac.createServiceAccountTokenSecret }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-maestro-k8s-secret
annotations:
kubernetes.io/service-account.name: k8s-maestro-sa
type: kubernetes.io/service-account-token
{{ end }}
{{- if .Values.maestro.rbac.ClusterRoleBindingCreate }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: maestro-cluster-role
# "namespace" omitted since ClusterRoles are not namespaced
rules:
- apiGroups: [""]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["extensions"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Values.maestro.rbac.serviceAccountName }}
name: k8s-maestro-rb
subjects:
- kind: ServiceAccount
name: {{ .Values.maestro.rbac.serviceAccountName }}
name: k8s-maestro-sa
namespace: {{ .Values.maestro.rbac.serviceAccountNamespace }}
roleRef:
kind: ClusterRole
name: {{ .Values.maestro.rbac.ClusterRole }}
name: maestro-cluster-role
apiGroup: rbac.authorization.k8s.io
{{ else }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: maestro-role
namespace: {{ .Values.maestro.rbac.serviceAccountNamespace }}
rules:
- apiGroups: [""]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["extensions"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ .Values.maestro.rbac.serviceAccountName }}
name: k8s-maestro-rb
namespace: {{ .Values.maestro.rbac.serviceAccountNamespace }}
subjects:
- kind: ServiceAccount
name: {{ .Values.maestro.rbac.serviceAccountName }}
name: k8s-maestro-sa
namespace: {{ .Values.maestro.rbac.serviceAccountNamespace }}
roleRef:
kind: ClusterRole
name: {{ .Values.maestro.rbac.ClusterRole }}
kind: Role
name: maestro-role
apiGroup: rbac.authorization.k8s.io
{{ end }}
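Review bot: Both the ClusterRole and the Role grant `resources: ["*"]` with `verbs: ["*"]` on the core API group, which in the ClusterRole branch is effectively cluster-admin for maestro (read every Secret and ServiceAccount token in the cluster, exec into pods, create pods with any ServiceAccount) and in the Role branch still covers the Secrets in the release namespace that hold the JWT signing key and keto DSN the README creates; a compromise of the maestro container becomes a compromise of the cluster. Scope each rule to the resources maestro actually manages with the verbs it needs, as in the sketch below (the resource list is a guess to be confirmed against what maestro calls). The `extensions` API group has been removed from Kubernetes since 1.16, so that rule grants nothing on current clusters; if Deployments are needed they belong under `apps`. Two smaller points: the `kubernetes.io/service-account-token` Secret is a non-expiring credential and should only be created when something outside the pod needs it, and the ServiceAccount has no `namespace` while the bindings reference `.Values.maestro.rbac.serviceAccountNamespace`, so a release installed into a different namespace binds a ServiceAccount that does not exist.

```yaml
rules:
  # TODO(review): confirm this list against the API calls maestro makes
  - apiGroups: [""]
    resources: ["pods", "services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```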